Top Tips from the conference
Fines

Attitudes by card companies to non-compliance are hardening. Fines for breaches can be very significant; provide recent examples to your CFO, as this will get their attention if you are having problems with funding.

Costs and Funding

Most companies create a separate budget for PCI compliance. The increased costs incurred can be significant, but they would be outweighed many times over in the event of a breach. If PCI can be made a mandatory project at Board level, life is (much) less difficult. Some organisations have re-negotiated the fees levied by acquirers. Map PCI to other standards you may use, and where possible reuse documentation and audits from other compliance programmes to save doing the work twice.

Mapping

Take a rigorous approach to investigating and mapping existing systems, processes and practices. In particular, look for the use of manual processes, spreadsheets and email in the handling of customer and credit card information.

Scoping

Be ruthless in challenging the need to hold or handle credit card data. Having 'binned' as much as possible, agree the reduced scope with your QSA or internal compliance expert. Segment networks and truncate PAN data wherever you can. Every network-attached device is in scope, despite inconsistent advice on whether or not PCs are in scope.

Gap Analysis and Remediation

After completing a gap analysis, use a database tool to track remediation progress. Make sure all changes are properly documented and easy to find during the audit.

QSAs

Identify the internal skills you have and use them before engaging a QSA. When using external QSAs, interview carefully and look for proven expertise in your type of environment, particularly where mainframes are concerned. Identify any potential conflicts of interest: they may be aligned to certain products or solutions. Conflicting advice from QSAs is a common problem at present. Don't rely on a single external QSA; use more than one and get internal staff trained. However, make sure you use the same QSA for the pre-audit and the final audit. The Council is bringing out a Quality Assurance programme for QSAs; feed back any issues you may have directly to them.

Compensating Controls

Compensating controls need to pass the scrutiny of both the QSA and the acquiring bank or card brand. They will be re-visited annually. There are no compensating controls for CV2 or merchant numbers.

Wireless networks

Use software tools to discover wireless access points. Segment the network to de-scope some of them.

Open source software

Some organisations have successfully used open source products. Two worth looking at are Nipper (network device configuration and security audit) and Tripwire (software security and data integrity tool).

Maintenance post Compliance

Make sure the maintenance phase after compliance is properly resourced, with internal staff having the right training and skills. Use a programme management approach, with tools to track progress against changing circumstances and requirements. Implement regular reviews.

Approach/philosophy

PCI DSS is not risk-based. To achieve compliance, you have to meet the standard and pass the assessment.

Best practice

Exemplar companies have good practice in handling card data, which happens to be PCI DSS compliant. Compliance can be used for competitive differentiation.